mgr/dashboard: Manager should complain about wrong dashboard certificate 27742/head
authorVolker Theile <vtheile@suse.com>
Mon, 18 Mar 2019 16:00:09 +0000 (17:00 +0100)
committerTatjana Dehler <tdehler@suse.com>
Wed, 24 Apr 2019 12:03:38 +0000 (14:03 +0200)
Fixes: https://tracker.ceph.com/issues/24453
Signed-off-by: Volker Theile <vtheile@suse.com>
(cherry picked from commit a9ba5ba152cd54c3b4c94f5627cc85239906fe67)

src/pybind/mgr/dashboard/module.py

index a8a3ec07c1ca203cbf103d91c3765749c4f6f378..71760d7f0f5f6f0167f33677acd20bb9a664aeb6 100644 (file)
@@ -13,7 +13,7 @@ import tempfile
 import threading
 import time
 from uuid import uuid4
-from OpenSSL import crypto
+from OpenSSL import crypto, SSL
 from mgr_module import MgrModule, MgrStandbyModule, Option
 
 try:
@@ -103,6 +103,7 @@ class CherryPyConfig(object):
     Class for common server configuration done by both active and
     standby module, especially setting up SSL.
     """
+
     def __init__(self):
         self._stopping = threading.Event()
         self._url_prefix = ""
@@ -117,6 +118,7 @@ class CherryPyConfig(object):
     def url_prefix(self):
         return self._url_prefix
 
+    # pylint: disable=too-many-branches
     def _configure(self):
         """
         Configure CherryPy and initialize self.url_prefix
@@ -195,6 +197,37 @@ class CherryPyConfig(object):
             if not os.path.isfile(pkey_fname):
                 raise ServerConfigException('private key %s does not exist' % pkey_fname)
 
+            # Do some validations to the private key and certificate:
+            # - Check the type and format
+            # - Check the certificate expiration date
+            # - Check the consistency of the private key
+            # - Check that the private key and certificate match up
+            try:
+                with open(cert_fname) as f:
+                    x509 = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())
+                    if x509.has_expired():
+                        self.log.warning(
+                            'Certificate {} has been expired'.format(cert_fname))
+            except (ValueError, crypto.Error) as e:
+                raise ServerConfigException(
+                    'Invalid certificate {}: {}'.format(cert_fname, str(e)))
+            try:
+                with open(pkey_fname) as f:
+                    pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read())
+                    pkey.check()
+            except (ValueError, crypto.Error) as e:
+                raise ServerConfigException(
+                    'Invalid private key {}: {}'.format(pkey_fname, str(e)))
+            try:
+                context = SSL.Context(SSL.TLSv1_METHOD)
+                context.use_certificate_file(cert_fname, crypto.FILETYPE_PEM)
+                context.use_privatekey_file(pkey_fname, crypto.FILETYPE_PEM)
+                context.check_privatekey()
+            except crypto.Error as e:
+                self.log.warning(
+                    'Private key {} and certificate {} do not match up: {}'.format(
+                        pkey_fname, cert_fname, str(e)))
+
             config['server.ssl_module'] = 'builtin'
             config['server.ssl_certificate'] = cert_fname
             config['server.ssl_private_key'] = pkey_fname
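Review bot: The `except crypto.Error` around the `SSL.Context` block will not catch what that block raises: `Context.use_certificate_file`, `use_privatekey_file` and `check_privatekey` raise `OpenSSL.SSL.Error`, which is a separate class from `OpenSSL.crypto.Error`, so a mismatched key/certificate pair escapes `_configure` as an unhandled exception instead of producing the intended log line. Since a mismatch means the server cannot start anyway, and the two checks above already raise `ServerConfigException`, it would be consistent to do the same here: `except SSL.Error as e:` / `raise ServerConfigException('Private key {} and certificate {} do not match up: {}'.format(pkey_fname, cert_fname, str(e)))`. `SSL.TLSv1_METHOD` only builds a throwaway validation context and never serves traffic, but `SSL.SSLv23_METHOD` is the generic choice and avoids tying the check to a deprecated protocol version; a short comment such as `# validation-only context; the serving context is built by CherryPy below` would make that clear. Note also that `has_expired()` only inspects notAfter, so a not-yet-valid certificate passes silently. `_configure` begins and ends outside this hunk.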